lardyboy_lardyb
Dec 15, 2004

inserting client ip address into header when using SNAT

iRules novice here !!

I have a need to add the real client IP into the HTTP header when using a SNAT rule, but I need to do it dynamically. This is due to the upstream proxy using client IP addresses to determine policy for web browsing. I understand this can be done somehow using iRules and remote_addr or something - only thing is I am not a software type geeza, so programming for me is like coming to terms with 3 heads !!

Has anyone done this before and maybe supply some code, or can anyone shed light on what is needed? Help oh help !!

15 Replies

  • I get the following error from the rule properties page

      Error 331835 -- Rule string to tree failed. - syntax error at 'when'
      line 2: when HTTP_REQUEST {

    when entering.........

      when HTTP_REQUEST {
         HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
      }

  • unRuleY_95363
    Historic F5 Account
    I'm not sure what's going on here. The format of the error message isn't what I'd expect. Also, it suspiciously reports the error on line 2 - what's on line 1? If this problem persists please call support.
  • Any info on the error that we are getting? We consistently get the PREPEND_HEADERS error when attempting the TXT file download. We originally thought the extra 2 bytes at the end of the content was causing a problem with BigIP delivering the file, but this following iRule failed to correct the problem.

      
      rule handle_two_trailing_bytes {  
         when HTTP_REQUEST {  
            set two_byte_error 0  
            if { [HTTP::uri] contains "export.fetchFile" } {  
               set two_byte_error 1  
            }  
            HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]  
         }  
         when HTTP_RESPONSE {  
            if { $two_byte_error } {  
               set content_len [HTTP::header Content-Length]  
               incr content_len 2  
               HTTP::header replace Content-Length $content_len  
            }  
         }  
      } 
     

    What exactly does the error mean?
  • unRuleY_95363
    Historic F5 Account
    The above rule was not complete. If the two extra bytes followed in a separate TCP packet, then the HTTP_RESPONSE_DATA would not have received them at the time it was evaluated. The following rule is more complete in this regard:

     
     rule handle_two_trailing_bytes {
        when HTTP_REQUEST {
           set two_byte_error 0
           if { [HTTP::uri] contains "export.fetchFile" } {
              set two_byte_error 1
           }
           HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
        }
        when HTTP_RESPONSE {
           if { $two_byte_error } {
              # Get the correct length
              set content_len [HTTP::header Content-Length]
              # Collect the body and attempt to pick up the 2 extra bytes
              HTTP::collect [expr {$content_len + 2}]
           }
        }
        when HTTP_RESPONSE_DATA {
           # Determine how much we collected
           set delta [expr {$content_len + 2 - [HTTP::payload length]}]
           if { $delta < 2 } {
              # HTTP already received extra bytes, remove them here
              HTTP::payload replace $content_len [expr {2 - $delta}] ""
              HTTP::header replace "Content-Length" $content_len
           }
           if { $delta > 0 } {
              # Have TCP layer collect and discard any extra bytes
              TCP::collect $delta
           }
           HTTP::release
        }
        when SERVER_DATA {
           # Remove the extra bytes
           TCP::payload replace 0 $delta ""
           TCP::release
        }
     }
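
Added example, not part of the original thread and not F5's own code: the header-insertion rule from the replies above, written so that the upstream proxy only ever receives the address BIG-IP observed, even if the request already carries an ORIG_CLIENT_IP header. It assumes the same `when HTTP_REQUEST` syntax used in the thread; the log line and its facility are illustrative choices.

```tcl
when HTTP_REQUEST {
   # HTTP::header insert adds a header; it does not overwrite one that is
   # already present in the request. Because the upstream proxy bases its
   # browsing policy on this value, drop any inbound copies first.
   if { [HTTP::header exists ORIG_CLIENT_IP] } {
      # Record that a request arrived with the header pre-set
      # (illustrative logging; only the observed peer address is logged).
      log local0.notice "Removed inbound ORIG_CLIENT_IP header from [IP::remote_addr]"
      HTTP::header remove ORIG_CLIENT_IP
   }
   # Insert the real client address before SNAT hides it from the proxy.
   HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
}
```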